Commissioner (Cyprus) - 11.17.001.010.064
Relevant Law: Article 5(1)(f) GDPR; Article 24(1) GDPR; Article 32 GDPR
National Case Number/Name: 11.17.001.010.064.
European Case Law Identifier: n/a
Original Source: dataprotection.gov.cy (in EL)
The DPA of Cyprus fined the Cyprus electricity authority €5,000 for violations of Articles 5(1)(f), 24(1) and 32 GDPR for delivering a consent form containing personal data to the data subject's neighbour, resulting in an unauthorised disclosure of personal data to a third party.
English Summary
Facts
The Cyprus electricity authority (controller) intended to place a power line on the data subject's land. The controller sent the data subject a consent form for the placement of this power line. However, an employee of the controller delivered the consent form, which contained personal data, to the data subject's neighbour. The data subject filed a complaint with the Cyprus DPA (DPA) on 11 April 2022.
The controller also notified the DPA of this incident as a data breach. The controller stated that the employee had realised his mistake and had apologised. The controller acknowledged the violation, apologised for it and stated that it was committed out of negligence and human error, not out of malice. The controller had previously organised periodic briefings and GDPR-related training sessions for its staff (not attended by the employee in question). However, the controller also acknowledged the need for further training for its staff and had already planned further training sessions. The controller also confirmed that it had not set out specific procedures and measures describing how its staff would carry out service of such documents, and admitted that the delivery of the consent form to the neighbour was contrary to Article 31 of the Electricity Law (KEF.170), which states that the consent form may only be delivered to the owner of the land, in this case the data subject.
Holding
Violation of Article 24(1) GDPR
The DPA determined that the controller violated Article 24(1) GDPR, because the controller did not implement appropriate technical and organisational measures in advance to ensure that its processing was GDPR compliant. The DPA confirmed that the procedure described in Article 31 KEF.170 did not allow the consent form to be provided to any party other than the land owner (data subject). The controller had not implemented measures to detect and/or verify such a breach. The DPA stated that the controller would have been able to determine whether the consent form was delivered to the owner if it had established a procedure allowing it to check this. The DPA gave two examples of how this violation could have been avoided. One was that the controller could deliver the form in duplicate, so that one of the two copies could be returned to the controller bearing the data subject's signature to confirm delivery of the consent form. The DPA later confirmed that the controller had adopted this recommendation.
Violation of Articles 5(1)(f) and 32 GDPR
The DPA also determined that the controller violated Article 32 GDPR, because the controller did not implement appropriate measures in advance to prevent the unauthorised disclosure of the consent form. The DPA stated that, as controller, it bore sole responsibility for training and informing its staff, a responsibility the controller also accepted. The training and periodic briefings that the controller already provided were deemed inadequate by the DPA.
The DPA also determined that the controller violated the principle of integrity and confidentiality (Article 5(1)(f) GDPR), because the personal data of the data subject was processed in a way that allowed unauthorised and/or unlawful processing.
After considering several mitigating (8) and aggravating (6) factors, the DPA fined the controller €5,000. For example, the DPA considered the fact that the breach affected only one data subject as a mitigating factor, while it considered the fact that not all staff had participated in data protection training as an aggravating factor.
English Machine Translation of the Decision
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.